Prolexic sees seven-fold rise in average attack strength
The amount of bandwidth distributed denial of service (DDoS) attackers can generate is skyrocketing, jumping seven-fold quarter-over-quarter, a security company has warned.
In its analysis of attacks over the first quarter of 2013, Prolexic, which provides DDoS protection for firms including the biggest Bitcoin exchange Mt.Gox, found the average attack went up from 5.9Gbps to 48.25Gbps. Ten percent of attacks came in at over 60Gbps.
But the DDoS protection vendor said the high packet-per-second (pps) rates, which averaged 32.4Mpps, were of more concern, especially for those operating at the ISP level. That’s because “most mitigation equipment tends to be limited by pps capacity, not Gbps”, the report read.
Attacks on routing infrastructure proved much more popular than application layer attacks this past quarter. That would indicate the perpetrators are satisfied they will be more successful in using their vast power resources than opting for less data-hungry application-layer hits.
Various big name organisations have been struck down by DDoS attacks in recent months, including Mt.Gox, which claimed to have been downed by an 80Gbps hit.
Prolexic claimed the rises in volumetric attacks came in spite of “grossly inflated” figures cited in attacks on Spamhaus, which some reported had experienced a new DDoS record of 300Gbps. The biggest hit Prolexic saw was 130Gbps.
Prolexic CEO Scott Hammack told TechWeekEurope why he believes the Spamhaus claim was a pack of lies, even though a Tier 1 networking provider TechWeekEurope spoke to said it had a piece of its infrastructure targeted with a 305Gbps attack.
CloudFlare, which was protecting Spamhaus, was criticised for making histrionic claims, in its suggestion that the attacks “nearly brought down the Internet”.
Whatever the real figure, attackers are taking advantage of two trends to generate massive DDoS strikes: cheap, easy access to botnets and open DNS resolvers.
Botnets for DDoS can be rented for an hour from Russian underground forums for just a few dollars, if they are relatively small, or botnets can be bought outright for as low as $700.
As for DNS resolvers, many of which have to remain open for the general Internet to function, they can be used to amplify attacks.
TechWeekEurope highlighted the problem after the Spamhaus hit. In such an attack, the perpetrators send requests to “open recursive resolvers”, used in the DNS process, where URLs are translated to IP addresses, so people can access websites by typing in names (e.g. Google.com) rather than numbers (e.g. 18.104.22.168).
They do this whilst masquerading as their intended target, by spoofing an IP address. Once they have made a large number of requests for DNS files from these open DNS servers, the resolvers respond and send back far more data to the victim than was sent, clogging up infrastructure and taking the target offline.
As there are as many as 25 million of these open resolvers, they offer DDoSers an easy way to generate massive power from little input. Campaigners are attempting to get those running Internet infrastructure to cut the numbers of open servers to just 10 percent of the current global deployment.
What do you know about Internet security? Find out with our quiz!